New World Authentication

1. OAuth2

Unlike the old world auth, access tokens have a one-hour expiry and refresh tokens have a six-month expiry. This is in accordance with the best practice of using short-lived tokens.

This means that clients need to perform token management.

2. Getting Started

Getting clientID / clientSecret

Work with SAP Concur’s implementation team to obtain a new OAuth2 client_id and client_secret and to define the scope of the client’s application.

The process will take no longer than 48 hours.

The Implementation Team will respond with the new client_id, client_secret, the company’s refreshToken and its expiry date.

The client stores this information and configures its application with it.

Client applications should store the following tokens and data:

Refresh Token: This token can change, although most of the time the value stays the same. Client applications should treat every returned refresh token as a new value and overwrite the stored value with the one in the response.

Refresh Token Expiry: A daily script should check this date and make a refresh_grant to keep the refresh token alive indefinitely. If company policy dictates that the token should be allowed to expire, this step can be skipped. Once a refresh token has expired, clients need to contact SAP Concur’s Implementation team to get a new company token.

3. Token Management

Calling APIs with accessTokens

All APIs within SAP Concur require that the calling application present an accessToken in the Header using the “Bearer” keyword.
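As an added example (not SAP Concur’s own code), the client-side token management the sections above describe: persisting both tokens with their expiries, a daily keep-alive check, always overwriting the stored refresh token from a refresh response, and sending the access token as a Bearer header. The refresh_grant callable and the response keys (access_token, expires_in, refresh_token, refresh_expires_in) are assumptions standing in for the real token endpoint, as are the early-refresh margin and the keep-alive window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

# Access-token lifetime is stated on the page; the margin and window are assumptions.
ACCESS_TOKEN_LIFETIME = timedelta(hours=1)
EARLY_REFRESH_MARGIN = timedelta(minutes=5)   # refresh a little before expiry
KEEP_ALIVE_WINDOW = timedelta(days=7)         # daily script refreshes inside this window

@dataclass
class TokenStore:
    """What the client persists: credentials plus both tokens and their expiries."""
    client_id: str
    client_secret: str
    refresh_token: str
    refresh_token_expiry: datetime
    access_token: str = ""
    access_token_expiry: datetime = datetime.min.replace(tzinfo=timezone.utc)

def access_token_stale(store: TokenStore, now: datetime) -> bool:
    """True when there is no access token or it expires within the margin."""
    return not store.access_token or now + EARLY_REFRESH_MARGIN >= store.access_token_expiry

def keep_alive_due(store: TokenStore, now: datetime) -> bool:
    """Daily-script check: make a refresh grant before the refresh token itself lapses."""
    return now + KEEP_ALIVE_WINDOW >= store.refresh_token_expiry

def apply_refresh_response(store: TokenStore, response: Dict, now: datetime) -> None:
    """Record a refresh-grant result (response keys are assumed, not Concur's documented shape)."""
    store.access_token = response["access_token"]
    lifetime = response.get("expires_in", ACCESS_TOKEN_LIFETIME.total_seconds())
    store.access_token_expiry = now + timedelta(seconds=lifetime)
    # The refresh token may change on any response: always overwrite the stored value.
    if response.get("refresh_token"):
        store.refresh_token = response["refresh_token"]
    if response.get("refresh_expires_in") is not None:
        store.refresh_token_expiry = now + timedelta(seconds=response["refresh_expires_in"])

def ensure_access_token(store: TokenStore, refresh_grant: Callable[[TokenStore], Dict],
                        now: datetime) -> str:
    """Return a usable access token, performing a refresh grant only when needed."""
    if store.refresh_token_expiry <= now:
        raise RuntimeError("refresh token expired; a new company token must be requested")
    if access_token_stale(store, now):
        apply_refresh_response(store, refresh_grant(store), now)
    return store.access_token

def auth_header(store: TokenStore, refresh_grant: Callable[[TokenStore], Dict],
                now: datetime) -> Dict[str, str]:
    """The header every SAP Concur API call must carry."""
    return {"Authorization": f"Bearer {ensure_access_token(store, refresh_grant, now)}"}
```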